Rubrik Agent Cloud Advertiser

AI agents are everywhere, automating tasks and making decisions at machine speed. But agents make mistakes. Just one rogue agent can do big damage before you even notice. Rubrik Agent Cloud is the only platform that helps you monitor agents, set guardrails and rewind mistakes so you can unleash agents, not risk. Accelerate your AI transformation@rubrik.com that's R u.

Adam Hickey

B r-I k.com a PSA from Instacart it's Sunday, 5pm you had a non stop weekend.

Laurie Blank

You're running on empty and so is your fridge.

Adam Hickey

You're in the trenches of the Sunday scaries. You don't have it in you to go to the store, but this is your reminder. You don't have to.

Laurie Blank

You can get everything you need delivered.

Adam Hickey

Through Instacart so that you can get what you really need.

Laurie Blank

More time to do whatever you want. Instacart for for one less Sunday. Scary. We're here.

Isabella Royo

I'm Isabella Royo, intern at Lawfair, with an episode from the Lawfair archive for October 26, 2025. On October 9, Lawfare published a piece about proposed reforms to military acquisition in which the authors argued in favor of maintaining robust government oversight over military weapons acquisition from private contractors. The day before, a different Lawfare piece on Microsoft's decision to sever services to Israel's elite intelligence unit over their mass surveillance of Palestinians illuminated a different dimension of the emerging relationship between traditional national security entities and their private sector partners. For today's archive, I chose an episode from April 24, 2024, in which Natalie Orput moderated a panel featuring Jonathan Horowitz, Laurie Blank, and Adam Hickey entitled the Business of Navigating the Role of the Private Sector in Conflict. The four discussed how government and private sector actors bring different incentives and frames of reference to a conflict, the legal obligations that bind each party, how reputational concerns influence the relationship between them and.

Jonathan Horowitz

More Foreign.

Natalie Orput

It'S the LawFair Podcast. I'm Natalie Orpet, executive editor of Lawfare, with Jonathan Horowitz, Laurie Blank, and Adam Hickey.

Jonathan Horowitz

Things like where a private technology company provides goods or services to a belligerent in a party to an armed conflict, such that their infrastructure might qualify as a military objective. And do company executives know that? And do their lawyers know that?

Natalie Orput

Today, we're bringing you a panel discussion I moderated at the US Cyber Comms Legal Conference on April 9. The title of the panel was the Business of Navigating the Role of the Private Sector in Conflict. So the premise that we have Here for this panel is that there will need to be rapid fire communication and partnership between the private sector and government in times of conflict. But before we even get there, I think it's clear to most of us that private sector and government actors sometimes speak quite different languages. And so it's useful to understand each other's vocabulary, understand each other's frame of reference. So I want to get started there. Let me first introduce this illustrious panel before me. So we have Jonathan Horowitz, who is a legal advisor for the International Committee for the Red Cross. He focuses on new and emerging technologies in armed conflict, urban warfare and partnered operations. Then we have Laurie Blank, who is currently serving as Special Counsel to OGC at Dodge. See, I'm using acronyms too, even though I'm a civilian. She's on leave from her job as professor at Emory Law School where she directs the center for International and Comparative Law and is the director of the International Humanitarian Law Clinic. And then we have Adam Hickey, who is a partner at the law firm Mayor Brown in the cybersecurity, National Security and Government Investigations practice groups. He was previously Deputy Assistant Attorney General at the National Security Division of DOJ and before that an AUSA in the Southern District of New York. So to get us started, I think we should start with the private sector, given our audience here. And I want to just talk about, as I said, the baseline. So we're in a pre conflict, pre crisis moment. I want to talk about what private sector actors who maybe become very important for the purpose of partnerships in a time of conflict, what are they dealing with, what is their frame of reference and what are the key pieces of vocabulary that they're using. Because it's not necessarily going to be obvious that the people later gathered around a boardroom table thinking about how to deal with a request that just came in from Cybercom, are going to have just finished a conversation about an 8K or the GDPR.

Adam Hickey

So thanks, Natalie, and thanks to Cyber Command for having me here today. And I like the way you're introducing this as let's think about what normal looks like. What normal looks like. I think for most companies there are probably established information sharing relationships that may be with law enforcement, that may be with the intel community. There may be highlighting of threats that are seen through telemetry. There may be sharing with the public. This is a very small piece, I think, of what most companies are thinking about day to day. There are some technical legal restrictions on how you share information with the government, the Stored Communications act and the like. But there are usually ways to work through them. And companies find a way to share information when they need to. And requests that come in from the government can be handled in the ordinary course. That's just a small piece of what you're thinking about if you're in house legal. What you're really thinking about most of the time is an incredible intersecting patchwork of requirements depending on how you're regulated. The largest chunk of them have to do with incident reporting and thinking through when you have an obligation to tell some regulator or some state about a data breach or some foreign data protection authority, you're thinking about enforcement actions that target individuals like CISOs. And so now the environment of monitoring for a data breach and thinking about your response. Now there's a sort of personal liability sometime at stake or viewed that way. And you're thinking about bad publicity, class action lawsuits, shareholder derivative suits. And that's just the legal part. You're also thinking about reputational concerns. You're thinking about how the products you sell or what you're doing relate to cooperation with the government and whether cooperation with the government could theoretically make it harder to sell those products or services, say in Europe. You're thinking about skepticism in Europe and other parts of the world about the data you hold and where you get it and how you share it with the US Government or other governments. And so during the steady state period, I would say there are companies, maybe I'd bucket into two camps. There are those that have established normal steady state information sharing relationships, and that could be pursuant to legal process or something else. And then the rest of the companies that ordinarily think about this problem. And so as you think, as you, as we talk about the shifting in perspectives, I'll be interested in whether we're thinking about the companies like the large tech companies that already have those relationships, or are we thinking about someone who's getting a request completely out of the blue because of where they happen to be located geographically of the product they happen to make. Another consideration reputationally is also the attitudes of the workforce. Periodically you will see innovative companies with workforces concerned about just how is our product going to be used and how does that company navigate wanting to participate at the cutting edge of technological development and be part of the procurement chain, while at the same time having to deal with workforce concerns where people don't necessarily feel comfortable making weapons because they don't think that's what their job is. And so I'll just, I'll sort of give you an example of what happened during steady state, that, I think is not the way to solicit cooperation. So imagine a circumstance where a three letter agency is interested in records a company holds related to proliferation, the shipping of some sensitive equipment somewhere else in the world, and approaches a business leader in a company and asks to have a confidential, even classified relationship so that person can share information with a three letter agency and the business executive signs an NDA, feels very cool, shares the records, and months pass. And then later the company gets a subpoena apparently related to a counter proliferation investigation from doj. The GC has no idea about this confidential relationship and has to pull teeth to figure out who is sending what to where in the government. The government, because this is a sensitive relationship, doesn't want to own up to what they were asking for or why they were asking for it. And there's the at least the optic. Two things are of concern. One, did this subpoena have something to do with the information we shared? And are we sort of worse off because of our cooperation? And two, if word got out that we are secretly sharing information of this kind with the government, what would our corporate affiliates think around the world? What would our customers think? What would other governments think? Yes, we only shared certain information, but what if people thought that our relationship was cozier and that we were somehow providing access that allowed for surveillance or the like, even though there's nothing in the record to suggest that? So cutting out legal, for example, would be my number one advice for what not to do if you're looking for cooperation.

Natalie Orput

Okay, thank you, Laurie. I want to come to you with the sort of broad question of from the frame of reference that you bring, both in your capacity as a scholar and now at Dodd, in the pre conflict, pre even crisis point moment, what are the key sectors in the private sector and the key issues of concern to you?

Laurie Blank

So first, thanks very much for having me. And I do need to start by saying that I'm speaking in my personal capacity and not on behalf of DOD or anybody else. So I think when we think about the. And I'm kind of chuckling when you said pre crisis, because I'm trying to imagine what something that's not crisis.

Natalie Orput

Imagine a land.

Laurie Blank

Imagine a land far, far away where fairies flit about. Right? But just thinking about it in the international law space, you know, a lot of the. And we're going to end up talking about thresholds and definitions and et cetera, but those frameworks in international law are essentially there to provide stability, predictability, clarity. Maybe not usually, but possibly and ultimately laws. I like to think about it as about expectation. So if this happens, then this is the parameter of responses that I state or other actor have in my quiver of arrows in my toolbox. And that's the sort of parameter of options that I would expect a, I'm not going to say an adversary, but another actor in this magical pre crisis land that we live in might have. And those are generally designed predominantly to keep us in that pre crisis space. Right. So we have. If another state engages in an unfriendly act, okay, you can do a retortion, et cetera, if you think you've been the victim of an internationally wrongful act, but it's not at a level of a use of force, you might be able to take countermeasures if there's a use of force, if you're the victim of an armed attack. We have all of these thresholds and, and ultimately those are about keeping us in an environment in which we have some sense of what the rules or the reactions might be. And what that does is create that, that world of expectation, that world of predictability. Even if, you know, we don't know what the result is going to be, we at least the predictability is in the sense of this is the world in which it could happen. This is the general framing. And I think that's a really, for me, important sort of story about the, the international law piece. I think that's obviously relevant. I'll defer to Adam on the domestic side, but also for companies in thinking about what, you know, it's like a chess game. If I make this move, these are the things that could happen or might happen or what should not happen. And that's sort of how we try to avoid moving up that scale that you're going to take us up through.

Adam Hickey

Right.

Laurie Blank

And then things happen that bust us through those barriers. But I think that framing and so part of, I think one thing that's useful in thinking about this public private sector, partnership, et cetera, is whether it's education, whether it's communication, whether it's partnership awareness, whatever the right word is, is that there is a common language for that or at least a common awareness so that you're not operating in silos where one entity, those in the public sphere, the states, et cetera, have a certain set of expectations, but their potential or erstwhile partner is not living in that world and so doesn't see those same sets of thresholds, expectations, potential reactions.

Natalie Orput

Great, thank you, Jonathan. I guess same question to you and also I think just as a starting point, I think most people when they think of the icrc, are not necessarily thinking of engagement with the private sector in a pre crisis. We're not talking about Houston Bello for sure, at least not yet in our conversation. So tell us about what your concerns are in this period. And especially I think the paper that you wrote recently about educating private sector actors about international law, I think speaks very much to what Laurie was just saying.

Jonathan Horowitz

Thank you for the question. Thank you to US Cyber Command for the invitation. It's great to be on a panel with everyone. So let me, if I can, for all of you, just give a little bit of perspective of where the ICRC approaches this issue, whether it's in situations of armed conflict or, more to your questions, outside of situations of armed conflict. And it's not going to be anything particularly surprising, but ultimately it's an environment where civilians, governments, governance, municipal institutions are just highly connected to the digital environment for everything, for essential services, for transport, for agriculture, for distribution of food, for voting, whatever it may be. And what we're also seeing is as that is moving forward, we also realize there's considerable reliance on all those access points with the private sector in terms of digital infrastructure, governance, essential services. And we also see that that relationship and that partnership is building and building and building, and there's nothing wrong with that. In fact, it seems like it's sort of a logical trajectory of how the technology is working, how society is working, how governments are working, and the types of relationships that they are building with the digital tech sector, with the private sector writ large. At the same time, though, we're realizing that that also increases the vulnerability of all of us to different types of cyber intrusion, cyber disruptions and things like that. So things are becoming very connected across both in peacetime we would say sort of people and governance. But of course, if we talk about moving into situations of armed conflict, we're talking about a lot of interconnectivity between now we're moving over to civilian stuff and military stuff. And so what the ICRC is seeing is that we're seeing an environment where things getting increasingly tangled up with one another for purposes of cost effectiveness, resilience, things like that in peacetime. And then we're starting to not only imagine, but actually see what happens when that runs into a situation of armed conflict where you have different norms, different standards, but different legal obligations and different legal frameworks. And so that's one of the reasons why, either as a somewhat preventative measure or as a reactive Measure, the ICRC is taking increased interest in speaking to the private sector about these issues. So the ICRC has been around for 161 years now. We've become pretty comfortable talking to folks who are here sitting with us in military uniform to professional military institutions. Very normal. We've seen a proliferation of non state armed groups over the years. I think we're at a count of 20, 21 of about 600 plus. We've engaged with around 400 plus of those non state armed groups. The private sector is still something, is still a part of the battlefield landscape, is still an actor that's increasingly in that landscape that the ICRC is trying to, to Laurie's point, learn how to communicate their interests with our concerns, our concerns with their interests. And that's something that is a project that's ongoing, but we see it as one that will continue to be relevant over time, not one that is sort of a blip in history that will go away at any particular moment in the near future.

Natalie Orput

Okay, so let's move into our crisis phase. And I think we can here think about as a preliminary matter, in a world of cyber activity policing, the line between armed conflict and not armed conflict seems particularly complicated, and not only complicated, but perhaps not a matter of consensus among different decision makers. So let's talk about the phase at which it's very clear that tensions are reaching a boiling point. Just to throw out a couple of examples, say that a social media platform is being used to coordinate an armed attack, what seems like it will become an armed attack, and then we see actual activity on the ground. Imagine that a data broker is unwittingly selling data to an adversary or someone who will soon become an adversary. What are the things that you are thinking about and that need to be coordinated between the private sector and government actors at this phase? Laurie, you want to start?

Laurie Blank

One thing we haven't raised yet, but I think is kind of the. It's not really the elephant in the room, but it's certainly a significant issue, is state responsibility. And so anytime we're talking about this phase of, you know, tensions increasing, I mean, as you're giving examples, I'm thinking to myself, well, the immediate question has to be given, did some threshold get crossed? What is the range of options? Right. If you're thinking as a legal advisor, here's your range, this is your left and right limits. Then the policymaker has to decide, well, what? Just because I can do something doesn't mean I should do something. Hopefully it doesn't go the other Way. So one piece of this is trying to assess what action that I'm either absorbing, that I'm watching, develop, that I am concerned about developing, etc. Do any of these trigger certain reactions that I might be able to take again as a state? And that's assuming that you're on the receiving end of such activity. And so then we're thinking about things like prohibited intervention. We're thinking about whether or not some act that might trigger the authority to use countermeasures has taken place. We might be thinking about whether a use of force has happened or you mentioned possibly an armed attack. The essential piece of that then is of course, who is responsible for this conduct? And trying to then assess, okay, is it a state actor? Is it a. We've been talking about, quote, our sides, commercial, private sector. But we have to remember there's a commercial and private sector and there are private actors that are that side. Again, if we're now in a crisis phase, we start to have sides. So who is responsible within the international law construct for that? And is there a state that bears responsibility, in which case as a state I might have certain available avenues of action, or is it a non state entity? And I cannot make the attribution connection, but then I would have other avenues. Maybe there are sanctions, maybe there's criminal law avenues, maybe there's any number of possibilities there. And so that's one piece of it is understanding the attribution piece. The flip side of that attribution question is when are the actions or activities of the folks we've been talking about engaging with now somehow be attributable to the state on our side? And that's an equally important, important piece. And that I think gets very much into some of the discussion that we've been having about understanding the relationship, about sort of building awareness, education, training. And that goes both ways, right? It's not just the, hey, commercial entity. Let me share with you how international law works or how we view this question, or this is what happens, but it's also understanding what is the nature of this commercial entity's activities. Right. I and deepening our understanding of the connection between those activities and the government and the state, or perhaps linkages with partners and allies and so trying to understand that and knowing when, okay, I've been busy thinking about my own activities, but I got to be aware of what commercial actor is doing. Let's take an example. That is the more extreme example here, which is space. Right. We've been thinking about cyber, but it's kind of they're integrally linked. Right. And in space, we have an entirely different regime of state responsibility. We're not just talking about the idea of acting under the direction and control of which we might. The kind of general rules and attribution we see in the draft articles. But in space, we have a regime from the Outer Space Treaty which says that states bear international responsibility for national activities in space. And all of a sudden, most things that happen either on your territory or by, you know, actors in your territory become either definitely the responsibility of the state or potentially the responsibility of the state, depending again, on how you understand what national activities is. And. And all these other questions. To the extent that cyber and space have a very symbiotic relationship, which in many ways they do, it's important to understand all of those pieces and to know what those different sort of domestic commercial actors are doing. So you know how to plan and how to foresee what's coming.

Natalie Orput

Yeah. And which state is responsible for a multinational corporation that is in space. Adam, I'd like to pick up with you because Laurie spoke about, you know, acting as an attorney in the government and coming up with the left and right parameters, what's doable, and then needing to turn to the policymaker to make the decisions. And really, in the private sector, at least when you're talking about corporations, the person that they. That the lawyer is consulting with is not a policymaker or isn't, I suppose, in some sense, but is really someone who's charged with being concerned with business risk and with some of the other considerations that you mentioned earlier. So can you talk about how that differs?

Adam Hickey

Yeah, I guess I would say the mission is a little simpler, maybe in the private sector, because if you have shareholders, your prime directive is to maximize value to them. And then as we enter crisis, what that means I think becomes more complicated. So I think since at least the DDoS attacks on the banks in 2012 and 2013, and probably well before that, companies came to understand that cyberspace was going to be an area where they might face the brunt of retaliation for frustration with US Government policy. So I think there is very much a sense that even if they don't do nothing at all or have nothing to do with the crisis as it develops, they might end up feeling the consequences of it. So internally, if you see storm clouds brewing, one, it's going to matter whether is the US a part of this or not. Are we over here and sort of picking aside to help or not help or just stay out of the way or Is this actually implicating the homeland and the US Government? Because I do think that will make a difference. Second, is there a good guy and a bad guy or is this an incredibly complicated situation where whichever move we make is going to tee off a significant chunk of our constituency because that will matter to reputational risk? Third, how are we as a company exposed? Where are our personnel? What are our supply chains? What is our network exposure? And do we need to reposition or rethink what we're doing or how we're doing it just to stay out of the way so that we aren't, you know, this isn't primarily our problem. So how do we just keep maximizing value without being caught in the middle of this? Is there a risk of retaliation to our employees at some point because we're there physically? Low. What is the US Government going to use sanctions, its sanctions authority for? And do we need to be ready to divest or get out of the way quickly because something may be illegal for us to continue to do business in the way we're doing business? That I think is sort of the short list of things that would occur to me on day one of crisis, depending on where the company's doing business. Okay.

Natalie Orput

And Jonathan, I think this is really the moment at which I suspect with at least with smaller or less sophisticated private sector actors, they may all of a sudden realize they really need Jonathan Horowitz to come and talk to them and explain. So what is on your mind at this moment and what are you going to be advising them?

Jonathan Horowitz

I feel like I should be wearing a mask and a cape or something with that description. Thank you. No, I mean, I think what the ICRC is facing, finding and it really blends nicely. What was just mentioned is that while there's a natural understanding of some of the security risks involved in situations of armed conflict, naturally that there's not always a full understanding of what the legal frameworks are that apply. Right. And so a lot of companies, and I would say it's not even sort of only in relation to small or medium, but I think it really depends on the personalities involved and lawyers that are in the companies trying to be aware and understand that there is a legal framework that is in many ways so abnormal to what it is that they think about on a day to day and trying to comprehend what to do about that, either from a risk management or from how to engage in contracts with partners, is really something that the ICRC is trying to drive at. So what's the examples that the types of Examples that I'm talking about. The types of examples that I'm talking about are things like where a private technology company provides goods or services to a belligerent in a party to unarmed conflict such that their infrastructure might qualify as a military objective. And do company executives know that and do their lawyers know that? That is sort of the issue that I think is very much on our minds. It's been in the public. These are not abstract theoretical discussions. Yes, I wrote a law journal article on it. It was based on things that the ICRC was operationally seeing in the environments that we're working on. At the extreme end of this sort of set of examples has to do with employees. Are employees of technology companies engaging in activities that would engage in some way, shape or form constitute direct participation in hostilities. Now, the ICRC has its views on how to interpret the definition of direct participation of hostilities. States disagree with each other on what constitutes direct participation in hostilities. But the concept everyone agrees exists and there's large agreement on the criteria for direct participation in hostilities for civilians. At which point, of course, we all know it means they lose protection for such time as they do that from even a kinetic attack. So it could be a life or death conversation or consideration. That is also something that the ICRC thinks should at least be part of the risk management risk assessment. Risk evaluation. Now, that does not mean that we think that all other risk management assessment models should be tossed out the window. Because IHL is a prevailing legal framework that all companies must automatically sort of drop everything and pay attention to. But it's a blind spot if, if, if company lawyers and leadership are unaware of that dynamic, if they're unaware that the international humanitarian law rules and principles allow for that possibility of company property qualifying as a military objective and therefore losing what the ICRC regards as otherwise its default status as a civilian object and from civilian employees, which is how the ICRC regards technology. Company employees lose, for those exceptional, under those exceptional circumstances, their protection because they are directly participating in hostilities for such time as they do so. So that's sort of the space that we're entering into. It's going to be more relevant for some companies than others. It's going to be an immediate point of relevance for some companies and it may be one that is of future relevance for other companies, depending on where they're physically located, where they want to be physically located. So there's a lot to do here, but we're trying to sort of put a flag in the sand to sort of register some concerns that are based on real life operational circumstances that we're seeing across. And it's not just one or two armed conflicts, but but across several.

Laurie Blank

Hi, I'm Madupak Enola from TED Business and I'm here to talk about the Financial Times. Every day the world bombards you with endless headlines and noise. What matters most? Facts and context. That's where the Financial Times comes in. With clarity, depth and truly independent reporting, the FT helps you cut through the noise and and see what's real and why it matters. Stay informed with the trusted source leaders around the world rely on. Visit FT.comSourceFT to read more and save 40% on a digital FT subscription.

Natalie Orput

I'm done with subscriptions. Streaming fitness, razors, vitamins.

Adam Hickey

I've got subscriptions for everything in my life. They lock you in and half the.

Natalie Orput

Time I can't figure out how to unsubscribe.

Adam Hickey

That's why I'm so excited about the new Blue Apron. Now you can get delicious meals delivered.

Natalie Orput

With no subscription needed, including new pre made options. Keep the flavor, ditch the subscription.

Laurie Blank

Get 20% off your first two orders.

Adam Hickey

With code APRON20 Terms and conditions apply.

Laurie Blank

Visit blueapron.com terms for more AI agents.

Rubrik Agent Cloud Advertiser

Are everywhere, automating tasks and making decisions at machine speed. But agents make mistakes. Just one rogue agent can do big damage before you even notice. Rubrik Agent Cloud is the only platform that helps you monitor agents, set guardrails and rewind mistakes so you can unleash agents, not risk. Accelerate your AI transformation@rubrik.com that's R U B R-I K.com.

Natalie Orput

It does seem to me that if you are talking to a private sector actor for whom you can say, actually this law is really important to you because you may be converted to a military actor and therefore become legally targetable. It's more likely to get someone's attention. So let's switch into our armed conflict or our IHL hat is on. We are in our full fledged armed conflict. So let's talk about Adam. To start with you, what kinds of questions your clients will be asking you and I think just as salient, what questions you expect that they may not even think to ask. Along the lines of what Jonathan was describing.

Adam Hickey

I struggled a bit in preparing for this because I don't know what the ask is from the US Government in this hypothetical right? Well, here are three basic categories of asks. Are you buying a product from me? Is it the standard procurement Federal Service Services? You want a service that the military or the government will rely on. That's analogous to what I provide off the shelf or principally for militaries anyway, I feel like that's an easier bucket because the companies that sell that are used to thinking about their role in conflict to begin with. Are you asking for tips or leads or information sharing outside the context of process, like a more sort of soft cooperation? And there I think you start thinking about things like, and here maybe it's not the US Government asking, maybe it's, you know, a sympathetic country, but you're thinking about how will the information I provide be used, will it be used to commit a violation of ihl, which is something you have to think about a little bit. You do think about whether you're getting drawn into a conflict with that. You also think about the laws that govern sharing with the US Government and the like. And so that's one second type of ask and the third type of ask, which is, I'll just call it the weird ask. So it's the surreptitious access to the company's network or products or something that's secret, not paid for, not procured. And it's kind of an under the table cooperation, which I can't even really imagine the full range of things, but I can imagine happening in conflict. And there, I think is the highest level of risk for the company because there's what you're doing and then there's what could maybe become public at one point, what the claim is for retaliation that's justified, what other customers are I mentioned the Europeans and so forth, what they're going to think about this. So I guess to answer your question, I need to know what the ask is. And it gets progressively harder the more we walk down that road. But the basic categories of legal questions would be, is it prohibited? Are being asked for something that's somehow a violation of either this law or another domestic law. Then you think about the bucket of retaliatory or reputational risks. And I would fold IHL a little bit into that. Although I'll be candid that I don't feel like some of our adversaries are really consulting with Jonathan on when the targets are legitimate or not. So I would be inclined to approach this a little more guerrilla. Like I think the clients would think less about whether they've crossed the line in some legal sense to warrant retaliation. As a more basic, Am I going to get tagged with this and is it going to come back to bite me whether the law says it can or not? If that makes sense.

Natalie Orput

Laura, you've been eager to get to our conflict moment. But let me ask you also, you know, under international law, the role of the private sector and the way in which cooperation happens has very different implications both for, for the risk exposure of the private actor as well as the potential liability, legal or otherwise, of the US government. So can you talk a little bit about that?

Laurie Blank

I actually wanted to add a couple of buckets to your buckets.

Adam Hickey

Please do. I forgot to mention insurance, but we can come back to that.

Laurie Blank

I definitely was not going to mention insurance. So. Okay, try never to mention insurance. I would add in to that things that are not as obviously driven by a relationship between the company and the government or potential relationship between them. And so activities that are part of the company's business, like say the provision of satellite services or the provision of any number of services to perhaps other private actors to any number of other groups. We see that it is not a new story that states do not are not the, you know, monopolistic actor during armed conflict anymore. So that would be one, one piece. You develop an app that is, you intend it to be used for X and during conflict, enterprising innovative, you know, creative people figure out they can use it for why. And all of a sudden what does that mean both for your company, what does it mean for the way the government is going to think about your company? Right. And we have lots of examples from Ukraine about both the actual deliberate development of apps for the purpose of providing information and so on, but also just the use of other things, of course, crowdsourcing information about violations. And so if you're a company that somehow that's sort of part of the services that you provide in the pre conflict stage and now it gets used. What does that mean? And the, the other one I think is, is driven by the everyday unremarkable ordinary level of integration and redundancy between civilian and military networks.

Jonathan Horowitz

Right.

Laurie Blank

I think there's some, I don't remember a statistic I saw that was cited several years ago was something like 98%, you know, sort of overlap between military and civilian networks. I have no idea what the actual number is. I just was like in doing some reading, you know, for this I saw that, I thought, well, that's a pretty high number. So what does that mean in terms of if the, the company uses those same pathways of communication, those same, you know, maybe even an easier example is a satellite bus with multiple payloads on it. One of those payloads is military. One of those is your companies to do whatever, maybe you provide weather forecasting. Any number of Things just understanding the exposure that your company's assets, that your company's services, that your company's people have by dint of being essentially cheek by jowl with military capabilities and military assets and military objects. That's also critically important. You may have nothing to do with the conflict. You may be trying to stay far, far away from it, but just the nature of our current system of communication and, and cyber space and everything is that you can't, you, you can't escape it. Right? You're trying to get away and, and you're intimately tangled together.

Adam Hickey

I do think the example of companies I think are, have an easier time dealing with misdirection or misuse of their products. Right. When it comes to like, let's imagine the conflict is over there and my app is being misused in that way, I can take that on board and I can use the same framework I use to think about sanctions, export controls or any number of like, content on the platform. What do I do about that? Terrorist use of the Internet, so forth and so on. There's a framework of like, okay, I don't want my thing to be used that way anymore and you can deal with that. I think that harder piece is the last bucket you mentioned where I don't fully appreciate who I'm riding along with and I maybe not be fully prepared for the disruption. I may not even be a target, but I'm not prepared for the operational disruption that comes with being in cyberspace or physically located in a particular zone. Nor do I think companies are used to, even though, I mean, I think they're oddly. We haven't dealt with a situation where the US is in conflict and making extraordinary asks of the private sector. And I can't really predict how that will go. And I think that's, I think that is kind of the elephant in the room is like, what if the conflict involves us and another power that we are exposed to as a company in their market? That is going to be much more complicated how to work through that? Because some of your questions, Natalie, in advance, were related to legal authorities. And I was in a lot of meetings in government where people were throwing around statutes written many, many years ago that I think don't quite let you do that. The DOJ guy, me would be like, shut up. Okay, so we're not going to. But I just think we're not used to thinking through because we don't have a command economy. It's going to be very interesting sort of how we get to the right place. It's not going to be, I think by hard law, it's going to be through sort of clear communication by the government to the companies of what the ask is and sort of them thinking through our what are our risks and how we're going to approach that ask. And then there's insurance, by the way. So to what extent when you say yes, are you implicating not only the risk of retaliation, but also are you, you know, tripping up something that would otherwise pay you back, you know, help reimburse you for cost because you've suddenly made yourself a combatant in a way that voids your policy?

Laurie Blank

And just to jump in really quick on the insurance piece, and I don't have the statutes and things at my fingertips, but understanding what it means when a statute says, you know, at war, when it has these war related phrases in it that all of a sudden trip up what your expectations are of your insurance coverage I think is also important.

Jonathan Horowitz

One thing that I would reflect on is that the issue of bridges, airports, roadways, hills being used by civilians and being used by militaries have long plagued legal advisors providing advice to whoever they need to provide advice to on how the rules of international humanitarian law apply. It might be slightly on steroids a little bit with regard to the digital ecosystem where that's happening, but these are not unique issues to the battle space or to international humanitarian law. I think they are unique issues to the private sector that hasn't operated in a conflict environment, where they raise tricky questions. And so in so much as there are hot debates around what constitutes an attack under international humanitarian law and what protections international humanitarian law afford civilian data and whether it's the same protections that's afforded to civilian objects or live issues, the ICRC has positions on them. Some states have positions on them. Some states do differ on their positions. Some states have decided not to take a position on them. So I don't want to say that everything's easy and it's just a matter of transferring what we know from the more conventional kinetic world of international humanitarian law into the cyber context. But it means that those struggles have been there for a long time. And the reason why I say this is because I think some people who their contact point with international humanitarian law for the first time is a very complicated issue, will immediately go to their comfort zone of other legal frameworks. And I guess what we're trying to say is there are already legal frameworks in place. They do provide operational legal challenges. That is true for cyberspace, but that is not new to Cyberspace, and we were talking about a tagline. And I think that is true to cyberspace, but that is not new to cyberspace, is maybe one that I'll go with. But that's a big reflection point for the icrc. Right. Our point is you don't need to go reinventing the wheel, don't go making new international humanitarian law unless you're certain there's a gap there. IHL does a lot of work with regard to military cyber operations, but it does require socializing, disseminating, explaining, and working through difficult questions that have existed long before. The difficult questions that we're discussing on.

Laurie Blank

This panel, Jonathan, what you're talking about raises, kind of brings us all the way back to the initial conversation about the importance of communication and awareness and so on, because when you're talking about we've been thinking about these questions about when a hill or a bridge, et cetera. The difference, of course, is that you can see the bridge, you can see the hill, you can see military activity potentially happening there, et cetera. You can't see when there's overlap in the cyber world. Now, obviously there will be, you know, both government and commercial actors who have significant visibility into the space where they're operating and who else is operating there. But you still don't have, particularly if we kind of step back from those big actors into other private actors. As an individual user, you probably have absolutely no idea what the level of whether overlap or integration might be between the network on which I send my emails, or just to be oversimplified, and a network on which the military might be sending comms during a conflict. And now I think my email is going to get to mom, but it has actually, you know, that data is, if it can be considered data, as an et cetera, et cetera, all those arguments. Right. It's now incidentally harmed in some way.

Adam Hickey

Right.

Laurie Blank

I've taken liberties with the law there, but you understand the point. And so I think that's one piece that kind of emphasizes the need for whatever conversations are helpful to increase this level of awareness is because you can't see literally visually those overlaps, those things. And as you're saying, you might not even be thinking about that because you're busy thinking about your own lane. And it's not in your face that, whoa, there's military activity happening right there. Whereas if you were a factory and you saw, you know, troops exercising before deployment on the next field over, again, to be super simplified, you might say, huh, we're really close to those people Maybe that doesn't seem like the safest thing. Right. That would be a very obvious visual manifestation of it. But we don't have that. And I think that actually is somewhat consequential.

Natalie Orput

Thanks. I want to take some questions and in the meantime, I will invite the three of you to think about coming out of this discussion. If the goal here is to build durable partnerships, to have clear and successful means of coordinating between private and government, what would be the sort of top one or two things that you would advise that are really necessary for getting those into place? Now, I will open it up for questions.

Jonathan Horowitz

So it sounds like we've all sort of agreed that some sort of pre crisis, land of milk and honey education is required, sort of with all interested parties. I guess the question then, if that is the case, for sort of a better understanding across the board, pre crisis, is the allocation of the current allocation of responsibility between public and private sector adequate? Is it correct? Does it put the responsibility on the right party to begin the conversation, to continue the conversation, and who should sort of bear that burden?

Adam Hickey

Well, I'll come back. I don't know. I don't still know what the ask is. I mean, I'll tell you. So take procurement out, right? So if the government wants something and it can buy it, there's a way of handling that. There's a policy process in a company. So take procurement out, okay? So then what's left is something that's hard to predict, but some kind of cooperation between the government or warning. I would just say the best examples I can point to are ones where, and this has often been in the law enforcement context where I've seen it, law enforcement goes to a company proposes, say a disruption operation or a takedown or a cyber operation, use whatever term you want, and is pretty transparent about what it wants to do and how it wants to do it, sometimes gets a court order, so there's a transparency, and it eventually becomes public. It's easy, I think, for a company to think through that and make an informed decision. What I would suggest to you is not what we cannot do now because no one here is saying what company will be asked to do what outside of procurement is plan in advance for that moment. So I don't know how you have the shifting of the burden from the public to the private sector or the like until there's a very clear understanding of, okay, what are you exactly asking me to be ready for. And I've been in many conversations where the government's ask is not because of the sensitivity of it not made clearly. And so the recipient doesn't really understand what the government's trying to do or why they're trying to do it. And so I would just say if you're planning for the future, plan to communicate transparently in the crisis or in conflict, it's going to have to look a lot different from the fairly vague. I can only tell you so much that comes over in steady state periods, sometimes outside of procurement.

Jonathan Horowitz

Can I just add to that? So the other thing that we've been observing, which should be obvious but isn't always, is that different companies provide different goods and services, which means the legal ramifications are completely different. Right? So social media platforms compared to cloud computing services compared to different types of information technology providers are going to engage with risks around situations of armed conflict and they're going to engage with the rules of international humanitarian law very, very differently. And so I think this goes to the point that there also needs to be, and I don't mean transparent in the sense of publicly available, but transparent in the sense of what is the private sector, what is the government specifically asking the private sector to do? And then at least with my international humanitarian law, ICRC hat on, what are the legal implications that can pose particular risks, whether from a targeting perspective or confiscation of property perspective or worker safety perspective, we're talking about direct participation of hostilities. That those questions and that conversation needs to be a transparent one between the service provider and in this case, we're talking about a belligerent, a party to an armed conflict. So that's a government private sector dialogue that has to happen. I think generally there's a broader dissemination sort of conversation. That's what this is. That's why I'm so pleased that this panel was part of U.S. cyber Command's annual legal conference. I think that is part of the sort of road to sort of success on trying to explore these issues that are not, in my estimation at least going away anytime soon. And then I think it is going to be incumbent, perhaps even before some of those conversations with governments, for technology companies to look inwards. They're probably not going to again, want to do it publicly, to do their own self evaluation, self assessment. What is our infrastructure? What are our goods and services being used for? They've covered a lot of risks. The insurers forced them to, regulators forced them to think about these things. But that's largely absent from these issues that we've been talking about to talking about today in terms of targetability, whether it has to do with property or personnel. So I think there are a number of different entry points to have a conversation and I think they can go in a lot of different directions depending on what the issue is that you're trying to resolve and what question you're being asked.

Natalie Orput

Another question please.

Audience Member

Mr. Horitz. Among the core principles of the ICRC are impartiality, neutrality, given the involving nature of the battlefield, cyber activities and such, and technology. Have there been or do you foresee instances in which the ICRC would withhold or limit that assistance to victims on the battlefield?

Jonathan Horowitz

Thank you for the question. Am I right that that is not a cyber specific related question?

Audience Member

No, it's just when I see the term business of battle, I just have connotations of how it's changing, evolving. When we think of armed conflict, it's evolving to something now where we can have conflict that's not geographically isolated to a particular region. It can be cyber attacks that are conducted from outside the region. And when I think of the ICRC's traditional assistance of providing that humanitarian aid to victims on the battlefield, but with cyber activities, you don't know who's the belligerent anymore. I think if I correct, you began your presentation by mentioning There are some 600 non state actors of which ICRC has assisted. About 400 or at least are aware of about 400. Are there some of those non state actors, for example, that you would not support because it might be a breach of your core principles of impartiality and neutrality?

Jonathan Horowitz

Great. Thank you for taking the time to clarify that. So the ICRC is going to engage with any party to an armed conflict because every party to an armed conflict has legal obligations under international humanitarian law. So if a government is particularly unhappy with a non state armed group, labels them a criminal gang, labels them a terrorist organization as a legal matter under international humanitarian law, the ICRC sees them through the lens of a party to an armed conflict who has legal obligations under international humanitarian law. They have an obligation to respect and ensure respect for those obligations. And so we are going to engage with them. There is a separate question around how we provide humanitarian assistance. Right. So those are two different things. Those are operational dialogues. That's the first thing that I was mentioning. And then there are questions around providing humanitarian assistance. The bulk of what we do is, is going to be for civilian populations, including those who are under the control of parties to an armed conflict, whether they're a non state armed group or whether they're part of a government military. I do not see what's happening with regard to the digital ecosystem in conflict changing how the ICRC would approach its neutrality, impartiality and independence? I'm not sure if that gets to the question you're asking, but I appreciate being asked. Thank you.

Natalie Orput

We are running up against time, so my challenge to you has gone up in ante and now you must have a bumper sticker explanation of what your main takeaways would be of how to promote cooperation and partnerships. Adam, you want to start?

Adam Hickey

I used it on the question that's my bumper sticker.

Laurie Blank

My bumper sticker would be Beware of the line between engaging and all of a sudden bearing attribution and responsibility for. So be careful or think about where that line is in engaging with the private sector and yet not having them operating under your direction and control.

Jonathan Horowitz

Jonathan, the private sector has protections under international humanitarian law. It can lose those protections and it also has obligations. Read the Geneva Conventions, read the Additional Protocols, and give the ICRC a call if you have any questions.

Natalie Orput

Excellent. Thank you so much. The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad free versions of this and other Lawfare podcasts by becoming a LawFair material supporter at our website, lawfairmedia.org support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts. Look out for our other podcasts, including Rational Security, Chatter, Allies and the app Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work@lawfairmedia.org the podcast is edited by Jen Patia and your audio engineer. This episode was Kara Shillin of Goat Rodeo. Our theme music is from Alibi Music. As always, thank you for listening.

Rubrik Agent Cloud Advertiser

AI agents are everywhere, automating tasks and making decisions at machine speed. But agents make mistakes. Just one rogue agent can do big damage before you even notice. Rubrik Agent Cloud is the only platform that helps you monitor agents, set guardrails and rewind mistakes so you can unleash agents, not risk. Accelerate your AI transformation@rubrik.com that's R U B R-I K.com.